The security challenges of SD-WAN - and how to defend against them

The primary job of the WAN is connecting distributed users to the applications they need to do their jobs.

However, applications have changed significantly over the past handful of years and this is why Silver Peak says in its recent report that software-defined wide area networks (SD-WAN) are a much better fit than traditional router-centric WANs - particularly for businesses pursuing a cloud-first strategy for application delivery.

For example, the majority of applications are no longer hosted in a regional or centralised corporate data centre, and that percentage continues to dwindle as organisations embrace the cloud in general and SaaS applications in particular.

Modern applications also demand a higher quality of service, while the Internet of Things (IoT) and big data applications are stretching the boundaries of the volume of data today's WAN must be able to handle.

Silver Peak says the impact of these changes to the application landscape is that the enterprise WAN needs to change too. For example, traditional private-line connectivity options (such as multi-protocol label switching, or MPLS) and routing practices, backhauling in particular, are clearly a poor match for cloud apps, burgeoning amounts of internet traffic, and peer-to-peer interactions.

Key shortcomings include the high cost of such network services and architectures, their negative impact on performance, and their rigidity.

SD-WAN, in comparison, enables enterprises to use multiple types of network connectivity, including broadband internet services, when connecting users to applications. However, this introduces a new set of security challenges that are specific to, or amplified by, SD-WAN.

The use of broadband internet as a low-cost connectivity option is core to the SD-WAN value proposition. However, Silver Peak says that because broadband is 'public' rather than 'private', the confidentiality and integrity of application traffic traversing such connections must be ensured, which in practice means the tunnels between SD-WAN devices have to be both encrypted and authenticated.

And of course, inline deployment of SD-WAN devices places them 'in the line of fire', so to speak, at least compared with a traditional WAN optimiser deployed in an out-of-path configuration: an inline device that terminates internet links is itself reachable from the internet and must be hardened accordingly.

Silver Peak uses the example of local internet breakout, which is essential for enhancing performance and reducing the bandwidth (i.e. dollars) spent on backhauling, but which also exposes branch users and their local networks directly to the internet and its myriad threats.

This creates the need to limit outbound destinations, block unwanted or unsolicited inbound traffic, and inspect the allowed, expected traffic for threats. Not all web applications are created equal: some web traffic can expose the enterprise to viruses, trojans, DDoS attacks and other threats, so the policy has to distinguish trusted applications that may break out locally from everything else, which must be steered elsewhere for inspection.

“To implement such a policy, web traffic must be steered granularly to its correct destination. This requires identifying the application on the first packet because once an application session has been established, it cannot be redirected to an alternate destination without breaking the flow resulting in application disruption,” Silver Peak states.

“And because IP address ranges utilised by SaaS applications change almost continuously, address table updates must be automated and implemented on a daily basis.”
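The two requirements above, classifying a flow on its first packet and living with an address table that changes under you, are easiest to see in code. The following is an added example written for this page, not Silver Peak's or EdgeConnect's code. It models a branch with local internet breakout as a toy flow table: the first packet of each flow is matched against a prefix table to pick a path, the decision is pinned for the life of the flow, and inbound packets are allowed only if they are replies to a flow the branch opened. The prefix ranges (RFC 5737 documentation addresses), application names and path names are constructed for illustration and are not any vendor's real ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefix table (documentation ranges, not any real vendor's addresses).
# In production this table is refreshed automatically from the SaaS vendors' feeds.
PREFIXES_DAY1 = {
    "trusted-saas": ["198.51.100.0/24", "203.0.113.0/25"],
    "blocked": ["192.0.2.0/24"],
}
PREFIXES_DAY2 = {
    "trusted-saas": ["198.51.100.0/24", "203.0.113.128/25"],  # the vendor moved a range
    "blocked": ["192.0.2.0/24"],
}

# Hypothetical per-application policy: where the first packet of a new flow is steered.
POLICY = {
    "trusted-saas": "direct-internet",  # local breakout
    "blocked": "drop",                  # destination not permitted from the branch
    "unknown": "backhaul",              # send to the hub for full inspection
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class BranchSteering:
    def __init__(self, prefixes, policy):
        self.policy = policy
        self.flows = {}  # 5-tuple -> path chosen on the flow's first packet
        self.load_prefixes(prefixes)

    def load_prefixes(self, prefixes):
        """Replace the address table. Only flows that start afterwards see the change."""
        self.table = [(ipaddress.ip_network(cidr), app)
                      for app, cidrs in prefixes.items() for cidr in cidrs]

    def classify(self, dst):
        """Map a destination address to an application name, or 'unknown'."""
        ip = ipaddress.ip_address(dst)
        for net, app in self.table:
            if ip in net:
                return app
        return "unknown"

    def outbound(self, pkt):
        """Steer an outbound packet; the decision is made once, on the first packet."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        if key in self.flows:
            return self.flows[key]  # pinned: re-steering mid-session would break it
        path = self.policy.get(self.classify(pkt.dst), self.policy["unknown"])
        if path != "drop":
            self.flows[key] = path
        return path

    def inbound(self, pkt):
        """Allow only replies to flows the branch opened; drop unsolicited traffic."""
        key = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        return "allow" if key in self.flows else "drop"


def demo():
    """Walk through breakout, reply filtering and a prefix-table update."""
    s = BranchSteering(PREFIXES_DAY1, POLICY)
    r = {}
    r["saas_day1"] = s.outbound(Packet("10.1.1.20", "203.0.113.10", 51000, 443))
    r["reply"] = s.inbound(Packet("203.0.113.10", "10.1.1.20", 443, 51000))
    r["unsolicited"] = s.inbound(Packet("203.0.113.99", "10.1.1.20", 443, 40000))
    r["blocked"] = s.outbound(Packet("10.1.1.20", "192.0.2.5", 51001, 80))
    r["unknown"] = s.outbound(Packet("10.1.1.20", "203.0.113.200", 51002, 443))
    s.load_prefixes(PREFIXES_DAY2)  # the daily address-table refresh
    r["pinned_after_update"] = s.outbound(Packet("10.1.1.20", "203.0.113.10", 51000, 443))
    r["new_flow_after_update"] = s.outbound(Packet("10.1.1.20", "203.0.113.10", 51003, 443))
    r["moved_range_after_update"] = s.outbound(Packet("10.1.1.20", "203.0.113.130", 51004, 443))
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things worth noticing. First, a prefix-table update never touches `self.flows`, so the flow opened to 203.0.113.10 on day one keeps its local-breakout path after the range moves, while a new flow to the same address is backhauled; that is the "cannot be redirected without breaking the flow" point, and it is also why a stale table matters: until the refresh lands, traffic to the vendor's new range is misclassified as unknown. Second, the inbound check is deliberately nothing more than a reverse 5-tuple lookup; a real device would also validate protocol state and time flows out, but the principle that the branch only accepts what it asked for is the whole of the "block unsolicited inbound" requirement.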

There are a number of other areas where security is integral to the success of an SD-WAN implementation, including:

Enabling applications with different security requirements to share the same physical connectivity

Enabling consistent enforcement of an application’s specific security policies regardless of where that application is located, or accessed from

So how can a business benefit from implementing SD-WAN without exposing itself to these risks? Silver Peak's answer is EdgeConnect.

Described by Silver Peak as the industry's most complete SD-WAN solution, EdgeConnect provides enterprises with the flexibility to use any combination of transport technologies to connect users to applications, including public broadband services, without compromising application performance or security.